A file with the personal information of 25,000 applicants to the medical residency exam leaked this Friday, exposing the DNI numbers, phone numbers, email addresses, usernames and passwords of those listed. The information was confirmed to Clarín by sources from the Ministry of Health: “It was a specific error by the system developer,” they explained.
Although the security breach has already been fixed and the information can no longer be downloaded from the official site, the file is already circulating, and this poses a serious danger to the safety of those who applied to the exam: their personal data is already in circulation.
During the afternoon of this Friday, several Twitter users warned of the situation after the incident was corroborated by the Instagram account of Medicine graduates, which urged those affected to change their passwords to avoid further problems.
The main problem is that the data was stored without any type of security measure to protect the information, which is why it could be downloaded as a .csv file, a plain-text format similar to a .txt.
Computer security expert Javier Smaldone published 4 tweets explaining the situation. “Words are not enough for me to explain how gross you have to be to, in the middle of 2021, store passwords in plain text. In addition to being nonsense in terms of security, it is already a violation of the rights of users (because even if they are not leaked, the system administrator can see the keys),” he added to Clarín.
It is urgent that those who applied to the exam change their passwords. “People are now going to have to change their passwords … in the mail (and social networks, because the cell phone number is enough to log in). Unfortunately, you cannot change the rest of your personal data,” explained the IT expert.
@msalnacion leaked information on 25,000 people registered to take the residency exam. Including ID, phone number, email and PASSWORD (yes, they kept it in plain text). https://t.co/FWKYRIAPoo
– Javier Smaldone (@mis2centavos) August 20, 2021
The “.txt” file, in circulation
The registry, which could be accessed from the official site of the Ministry of Health, exposed the personal data of those registered for a short period of time.
On Twitter, several users also tried to spread the word about the situation. Other users stressed the importance of communicating what had happened so that those affected could change their passwords:
I just read that data was leaked from those registered to take the residency exam (published by synapsis fmed 9 hours ago). They advise changing passwords.
I pass the data just in case 🤷
– bark💚 (@Sa_05x2) August 21, 2021
The government leaked the passwords of all the doctors who are here to render their residency hahahaha what a beautiful country
– Karen Williams (@karuwilliams) August 20, 2021
The ministry filtered a list with the data of all those registered for the residency exam with their mails and passwords .. It can’t be that they can’t organize an exam well, that’s the way we are .. pic.twitter.com/uhmx4kRm80
– Lupi (@lupiheintz) August 20, 2021
From the health ministry they leaked all our passwords, emails, phone number, and probably the residency test was leaked. How nice to study medicine no one in history ever said.
– Alin Ludmila Garay 💚 🧡 (@AlinGaray) August 21, 2021
The information is no longer available for download. The problem is that, once files of this kind circulate, passwords and personal data can be sold for cybercriminals to use: from stealing personal information to extorting those involved.
The “.txt” with the keys even became a source of humor on social networks.
With a friend we made a choice, we got depressed and we began to see the leaked passwords of the people. One had Matame01. Same friend, same.
– Laslo ☁️ (@_nubesdeazucar) August 20, 2021
The vulnerability of reused passwords
There is a second problem associated with passwords that goes beyond exam registration: one of the most frequent mistakes is repeating the same password on different platforms (something that, according to Google, 52% of users do).
Repeating simple passwords across all the services we use is an invitation to what is known as “credential stuffing”, a practice in which cybercriminals use bots to “sweep” logins to various services until they manage to get in, precisely because we repeat the same password everywhere.
One of the solutions to these scenarios is to use a password manager.